
Assessing Risks to Systems

It is also useful to assess the risk that a particular vulnerability poses to a system. Where we discover several issues with a system, this allows us to concentrate our efforts on the one with the most serious impact.

For example, assume the factors we include in the risk assessment are:

  • Severity: The security implications to the system of this risk.
  • Likelihood: How likely it is that this risk will occur.

After our assessment we have the following vulnerabilities:

| Vulnerability | Severity  | Likelihood |
|---------------|-----------|------------|
| Vuln 1        | Low       | Very High  |
| Vuln 2        | Very High | Low        |
| Vuln 3        | High      | High       |

While Vulnerability 2 has the highest severity, it also has a very low chance of occurring (for example, it requires custom exploit development, or a deep understanding of the underlying system).
Therefore we may want to concentrate our efforts on Vulnerability 3 first, as it has both a high chance of occurring and a high severity.

Risk Assessment Standards

Ideally there would be one single vulnerability risk rating standard. However, as the level of risk depends on the organisation and applications, there are several formats you could use.

[Image: standards (Obligatory XKCD)]

Let's look at three of these standards in more detail.

OWASP Risk Assessment Methodology 1

Assesses the Risk based on two elements:

  • The Overall Likelihood
  • The Overall Impact

Likelihood

Likelihood is estimated from the following factors, each rated on a scale of 0 to 9.

  • Threat Agent Factors

    These relate to the attacker themselves, and are a combination of:

    • Skill Level
    • Motive
    • Opportunity
    • Size (How big are the group of people who could exploit this)
  • Vulnerability Factors

    Determine how likely it is that this particular vulnerability will be discovered and exploited.

    • Ease Of Discovery
    • Ease Of Exploit
    • Awareness (How well known is the vulnerability)
    • Intrusion Detection (How likely is an exploit to be detected)

Impact

As with Likelihood, Impact is measured based on two categories.

  • Technical Impact

    Covers the areas identified by the CIA triangle:

    • Loss of Confidentiality
    • Loss of Integrity
    • Loss of Availability
    • Loss of Accountability
  • Business Impact

    This is much harder to quantify, as it requires an understanding of what is important to the organisation running the application. However, there are some common areas:

    • Financial damage
    • Reputation Damage
    • Non-Compliance
    • Privacy Violation (how many customers would be affected)

Calculating the Score

We can then average the scores for each category to get an overall idea of the risk rating.

\[\begin{align} \text{Likelihood} & = \text{Average}(\text{Threat Agent Factors} + \text{Vulnerability Factors}) \\ \text{Impact} & = \text{Average}(\text{Technical Impact} + \text{Business Impact}) \end{align}\]

Then calculate the overall severity of the vulnerability, where each average is rated as:

  • 0 to 3 == Low
  • 3 to 6 == Medium
  • 6 to 9 == High

[Image: OWASP Table]
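As an added worked example (not code from this page or from OWASP), the following Python turns the method above into a small calculator: it averages the eight likelihood factors and the eight impact factors exactly as the formula on this page does, maps each average onto the Low / Medium / High bands, and then reads the overall severity off the OWASP likelihood-versus-impact matrix. That matrix is only shown as an image on this page, so its cells (Note, Low, Medium, High, Critical) are taken from the OWASP Risk Rating Methodology itself. The `prioritise` function also covers the earlier "Assessing Risks to Systems" section: it orders findings by overall severity, then impact, then likelihood. The three findings and all of their factor ratings are constructed for illustration.

```python
# OWASP risk rating calculator (added example; factor names follow this page).
# Each factor is rated 0-9; likelihood and impact are the averages of their factors.
THREAT_AGENT = ("skill_level", "motive", "opportunity", "size")
VULNERABILITY = ("ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection")
TECHNICAL_IMPACT = ("loss_of_confidentiality", "loss_of_integrity",
                    "loss_of_availability", "loss_of_accountability")
BUSINESS_IMPACT = ("financial_damage", "reputation_damage", "non_compliance", "privacy_violation")

# (impact rating, likelihood rating) -> overall severity. Taken from the OWASP Risk
# Rating Methodology matrix, which this page only shows as an image.
OVERALL_SEVERITY = {
    ("Low", "Low"): "Note", ("Low", "Medium"): "Low", ("Low", "High"): "Medium",
    ("Medium", "Low"): "Low", ("Medium", "Medium"): "Medium", ("Medium", "High"): "High",
    ("High", "Low"): "Medium", ("High", "Medium"): "High", ("High", "High"): "Critical",
}
SEVERITY_ORDER = ("Note", "Low", "Medium", "High", "Critical")


def rating(score):
    """Map a 0-9 average onto the page's bands: <3 Low, <6 Medium, otherwise High."""
    if not 0 <= score <= 9:
        raise ValueError(f"score {score} is outside 0-9")
    if score < 3:
        return "Low"
    if score < 6:
        return "Medium"
    return "High"


def average(factors, names):
    """Average the named factors, rejecting a missing or out-of-range rating."""
    values = []
    for name in names:
        value = factors[name]  # KeyError if the assessor forgot to rate a factor
        if not 0 <= value <= 9:
            raise ValueError(f"{name}={value} is not in 0-9")
        values.append(value)
    return sum(values) / len(values)


def assess(factors):
    """Return likelihood, impact, their ratings and the overall severity for one finding."""
    likelihood = average(factors, THREAT_AGENT + VULNERABILITY)
    impact = average(factors, TECHNICAL_IMPACT + BUSINESS_IMPACT)
    likelihood_rating = rating(likelihood)
    impact_rating = rating(impact)
    return {
        "likelihood": likelihood,
        "likelihood_rating": likelihood_rating,
        "impact": impact,
        "impact_rating": impact_rating,
        "severity": OVERALL_SEVERITY[(impact_rating, likelihood_rating)],
    }


def prioritise(findings):
    """Order finding names most urgent first: overall severity, then impact, then likelihood."""
    scored = {name: assess(f) for name, f in findings.items()}

    def key(name):
        r = scored[name]
        return (SEVERITY_ORDER.index(r["severity"]), r["impact"], r["likelihood"])

    return sorted(scored, key=key, reverse=True)


# Constructed ratings for three hypothetical findings (illustrative, not from the page).
SAMPLE_FINDINGS = {
    # Internet-facing login form: easy to find, widely understood, moderate impact.
    "sqli_login_form": dict(
        skill_level=5, motive=4, opportunity=7, size=9,
        ease_of_discovery=7, ease_of_exploit=5, awareness=6, intrusion_detection=8,
        loss_of_confidentiality=7, loss_of_integrity=5, loss_of_availability=1,
        loss_of_accountability=7, financial_damage=5, reputation_damage=4,
        non_compliance=5, privacy_violation=7),
    # Stack trace shown to users: trivial to trigger, but little is lost.
    "verbose_error_page": dict(
        skill_level=1, motive=1, opportunity=9, size=9,
        ease_of_discovery=9, ease_of_exploit=9, awareness=9, intrusion_detection=9,
        loss_of_confidentiality=2, loss_of_integrity=0, loss_of_availability=0,
        loss_of_accountability=1, financial_damage=1, reputation_damage=1,
        non_compliance=2, privacy_violation=1),
    # Kernel driver race: needs expert custom exploit work, but total compromise if it lands.
    "kernel_race_in_driver": dict(
        skill_level=1, motive=4, opportunity=4, size=2,
        ease_of_discovery=1, ease_of_exploit=1, awareness=1, intrusion_detection=3,
        loss_of_confidentiality=9, loss_of_integrity=9, loss_of_availability=9,
        loss_of_accountability=9, financial_damage=9, reputation_damage=9,
        non_compliance=7, privacy_violation=7),
}

if __name__ == "__main__":
    for name in prioritise(SAMPLE_FINDINGS):
        r = assess(SAMPLE_FINDINGS[name])
        print(f"{name:24s} likelihood={r['likelihood']:.3f} ({r['likelihood_rating']}) "
              f"impact={r['impact']:.3f} ({r['impact_rating']}) -> {r['severity']}")
```

Running it ranks the SQL injection (High) above the kernel race (Medium, because its likelihood average is Low despite a High impact), which in turn ranks above the verbose error page (Medium, with a Low impact); this is the same trade-off the Vuln 2 / Vuln 3 discussion at the top of the page makes by hand.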

SANS Institute 2

The SANS Institute takes a similar approach to OWASP when categorising vulnerabilities. However, it takes a higher-level view, focusing on two factors.

Severity

Represents the impact of the vulnerability.

  • Minor Severity

    The vulnerability requires significant resources to exploit (i.e. it is hard to do). There is little potential for loss.

  • Moderate Severity

    The vulnerability requires significant resources to exploit, with significant potential for loss.

    OR

    The vulnerability requires little resources to exploit, with moderate potential for loss.

  • High Severity

    The vulnerability requires few resources to exploit, with significant potential for loss.

Exposure

Represents the number of components in the system (or the amount of data) that the vulnerability exposes.

  • Minor Exposure

    The vulnerability affects only specific systems.
    It will not increase the chances of additional vulnerabilities being exploited.

  • Moderate Exposure

    Can affect more than one system element or component. May also lead to additional vulnerabilities being exploited.

  • High Exposure

    Affects the majority of system components. High chance of additional vulnerabilities being exploited.

Calculating the Score

Scores are calculated based on a combination of these factors.

[Image: Sans Rating Table]

CVE / CVSS Ratings 3

CVEs (Common Vulnerabilities and Exposures) are used to classify vulnerabilities. This aims to standardise the way that vulnerabilities are reported and assessed.

A database of CVEs is maintained by the US Government and the MITRE Corporation, with newly reported vulnerabilities assigned a CVE number and score.

You can search the CVE database at cve.mitre.org.

CVSS

CVEs are rated using the CVSS (Common Vulnerability Scoring System), which takes many factors into account, including:

  • Complexity of Exploit
  • Does the attacker need to be authorised?
  • Impact on each element of the CIA Triangle
  • Does known exploit code exist?
  • Is there a known fix for the flaw?

Note

The CVSS score calculations are quite complex, and require specialist input. Knowing that they exist, and the levels they represent, is fine.

Vulnerabilities are given a score between 0 and 10, representing how critical the flaw is.

Summary

In this article we have looked at some of the common ways of classifying vulnerabilities.

These systems allow us to discuss the issues in a standardized way, and prioritise flaws to be fixed.

Comparing Rating Systems

The OWASP and SANS vulnerability rating systems allow us to rate security flaws in our own systems. While they aim to do the same thing, they each take a different approach.

  • Which of the two rating systems do you prefer?
    • Is there any information missing that could help in assessment?